[kitten] SPAKE pa-hint

[kitten] SPAKE pa-hint

Greg Hudson
Candidate draft changes here:
https://github.com/greghudson/ietf/pull/5/files

For convenience, here is the proposed text.  Keep in mind that (as far
as I know) no one currently implements RFC 6113 authentication sets, so
implementations will generally ignore the new section for the time
being.

10.  Hint for Authentication Sets

   If a KDC offers SPAKE pre-authentication as part of an authentication
   set ([RFC6113] section 5.3), it MAY provide a pa-hint value
   containing the DER encoding of the ASN.1 type PA-SPAKE-HINT, to help
   the client determine whether SPAKE pre-authentication is likely to
   succeed if the authentication set is chosen.

   PA-SPAKE-HINT ::= SEQUENCE {
       groups      [0] SEQUENCE (SIZE(1..MAX)) OF Int32,
       factors     [1] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor
   }

   The groups field indicates the KDC's supported groups.  The factors
   field indicates the KDC's supported second factors.  The KDC MAY omit
   the data field of values in the factors list.

   A KDC MUST NOT include a PA-SPAKE-HINT message in a pa-value field;
   hints must only be provided within authentication sets.  A KDC SHOULD
   include a hint if SPAKE pre-authentication is offered as the second
   or later element of an authentication set.

   The PA-SPAKE-HINT message is not part of the transcript, and does not
   replace any part of the SPAKE message flow.

_______________________________________________
Kitten mailing list
[hidden email]
https://www.ietf.org/mailman/listinfo/kitten
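As an added worked example (not code from the draft, from MIT krb5, or from anyone in this thread), the following Python encodes and strictly decodes the PA-SPAKE-HINT structure quoted above, and shows the one thing a client does with it: check whether its own groups and second-factor types overlap with what the KDC advertises. Two things are assumed from the SPAKE draft rather than from this page: the ASN.1 module uses EXPLICIT tags, as the RFC 4120 module does, and SPAKESecondFactor is `SEQUENCE { type [0] Int32, data [1] OCTET STRING OPTIONAL }`. The group and factor numbers in the sample are placeholders, not registry assignments. The decoder fails closed on any non-DER or non-conforming input because, as the thread notes, the hint arrives unauthenticated unless FAST is in use.

```python
"""DER encoder/strict decoder for PA-SPAKE-HINT (added example, hand-written).

Assumed from the SPAKE draft, not stated on this page:
  - the module uses EXPLICIT tags (as RFC 4120 does), so [n] wraps the inner TLV;
  - SPAKESecondFactor ::= SEQUENCE { type [0] Int32, data [1] OCTET STRING OPTIONAL }
"""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04


def _ctx(n):
    """Explicit context-specific constructed tag [n]."""
    return 0xA0 | n


def _length(n):
    """DER definite length: short form below 0x80, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _int32(v):
    """Minimal two's-complement INTEGER, range-checked as a Kerberos Int32."""
    for n in range(1, 5):
        try:
            return _tlv(INTEGER, v.to_bytes(n, "big", signed=True))
        except OverflowError:
            continue
    raise ValueError("value outside Int32 range")


def _factor(ftype, data):
    body = _tlv(_ctx(0), _int32(ftype))
    if data is not None:  # data is OPTIONAL; the KDC MAY omit it in a hint
        body += _tlv(_ctx(1), _tlv(OCTET_STRING, data))
    return _tlv(SEQUENCE, body)


def encode_hint(groups, factors):
    """groups: list of Int32; factors: list of (type, data-or-None)."""
    if not groups or not factors:
        raise ValueError("both lists are SIZE(1..MAX)")
    g = _tlv(_ctx(0), _tlv(SEQUENCE, b"".join(_int32(x) for x in groups)))
    f = _tlv(_ctx(1), _tlv(SEQUENCE, b"".join(_factor(t, d) for t, d in factors)))
    return _tlv(SEQUENCE, g + f)


# Strict decoder: without FAST the hint is unauthenticated, so reject anything odd.

def _read_tlv(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or length < 1 << (8 * (n - 1)):
            raise ValueError("non-minimal length (not DER)")
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:end], end


def _expect(buf, pos, tag):
    got, body, end = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#04x}, got {got:#04x}")
    return body, end


def _decode_int32(buf):
    """buf must be exactly one minimally encoded INTEGER within Int32 range."""
    body, end = _expect(buf, 0, INTEGER)
    if end != len(buf) or not 1 <= len(body) <= 4:
        raise ValueError("bad Int32")
    if len(body) > 1 and ((body[0] == 0x00 and not body[1] & 0x80)
                          or (body[0] == 0xFF and body[1] & 0x80)):
        raise ValueError("non-minimal INTEGER (not DER)")
    return int.from_bytes(body, "big", signed=True)


def _decode_factor(buf):
    body, end = _expect(buf, 0, SEQUENCE)
    if end != len(buf):
        raise ValueError("trailing bytes in SPAKESecondFactor")
    tbody, pos = _expect(body, 0, _ctx(0))
    ftype = _decode_int32(tbody)
    data = None
    if pos < len(body):  # OPTIONAL data present
        dbody, pos = _expect(body, pos, _ctx(1))
        octets, dend = _expect(dbody, 0, OCTET_STRING)
        if dend != len(dbody):
            raise ValueError("trailing bytes in data")
        data = bytes(octets)
    if pos != len(body):
        raise ValueError("trailing bytes in SPAKESecondFactor")
    return ftype, data


def _decode_seq_of(buf, item):
    """SEQUENCE (SIZE(1..MAX)) OF: returns the items, rejects an empty list."""
    body, end = _expect(buf, 0, SEQUENCE)
    if end != len(buf):
        raise ValueError("trailing bytes after SEQUENCE OF")
    items, pos = [], 0
    while pos < len(body):
        _, _, nxt = _read_tlv(body, pos)
        items.append(item(body[pos:nxt]))
        pos = nxt
    if not items:
        raise ValueError("SEQUENCE OF must hold at least one element")
    return items


def decode_hint(der):
    """Returns (groups, factors); raises ValueError on non-conforming input."""
    body, end = _expect(der, 0, SEQUENCE)
    if end != len(der):
        raise ValueError("trailing bytes after PA-SPAKE-HINT")
    gbody, pos = _expect(body, 0, _ctx(0))
    groups = _decode_seq_of(gbody, _decode_int32)
    fbody, pos = _expect(body, pos, _ctx(1))
    factors = _decode_seq_of(fbody, _decode_factor)
    if pos != len(body):
        raise ValueError("trailing bytes in PA-SPAKE-HINT")
    return groups, factors


def spake_likely_to_succeed(der, client_groups, client_factor_types):
    """Client-side use of a hint: True only if some advertised group and some
    advertised second-factor type are ones this client supports.  A forged or
    malformed hint can only steer this choice, nothing in the SPAKE exchange."""
    try:
        groups, factors = decode_hint(der)
    except ValueError:
        return False  # malformed hint: do not pick this authentication set
    return bool(set(groups) & set(client_groups)) and \
        bool({t for t, _ in factors} & set(client_factor_types))


if __name__ == "__main__":
    # Constructed sample; numbers are placeholders, not registry assignments.
    hint = encode_hint([1, 2], [(1, None), (2, b"\x00\x01")])
    print(hint.hex())
    print(decode_hint(hint))
    print(spake_likely_to_succeed(hint, client_groups=[2], client_factor_types=[1]))
```

The decoder enforces the SIZE(1..MAX) constraints, minimal INTEGER and length encodings, and the absence of trailing bytes at every level, so a hint that a man-in-the-middle has tampered with can at worst make the client skip the authentication set, which matches the security-considerations argument later in the thread.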

Re: [kitten] SPAKE pa-hint

Benjamin Kaduk
On Tue, Feb 06, 2018 at 08:15:26PM -0500, Greg Hudson wrote:

> Candidate draft changes here:
> https://github.com/greghudson/ietf/pull/5/files
>
> For convenience, here is the proposed text.  Keep in mind that (as far
> as I know) no one currently implements RFC 6113 authentication sets, so
> implementations will generally ignore the new section for the time
> being.
>
> 10.  Hint for Authentication Sets
>
>    If a KDC offers SPAKE pre-authentication as part of an authentication
>    set ([RFC6113] section 5.3), it MAY provide a pa-hint value
>    containing the DER encoding of the ASN.1 type PA-SPAKE-HINT, to help
>    the client determine whether SPAKE pre-authentication is likely to
>    succeed if the authentication set is chosen.
>
>    PA-SPAKE-HINT ::= SEQUENCE {
>        groups      [0] SEQUENCE (SIZE(1..MAX)) OF Int32,
>        factors     [1] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor
>    }

Do we need to repeat and/or modify the security considerations text
about unauthenticated plaintext in the factors portion of a
challenge with respect to the pa-hint contents?

-Ben

>    The groups field indicates the KDC's supported groups.  The factors
>    field indicates the KDC's supported second factors.  The KDC MAY omit
>    the data field of values in the factors list.
>
>    A KDC MUST NOT include a PA-SPAKE-HINT message in a pa-value field;
>    hints must only be provided within authentication sets.  A KDC SHOULD
>    include a hint if SPAKE pre-authentication is offered as the second
>    or later element of an authentication set.
>
>    The PA-SPAKE-HINT message is not part of the transcript, and does not
>    replace any part of the SPAKE message flow.
>

Re: [kitten] SPAKE pa-hint

Greg Hudson
On 02/08/2018 09:21 PM, Benjamin Kaduk wrote:
> Do we need to repeat
> and/or modify the security considerations text
> about unauthenticated plaintext in the factors portion of a
> challenge with respect to the pa-hint contents?

Proposed text, adding a fourth paragraph to the unauthenticated
plaintext subsection:

    Unless FAST is used, any PA-SPAKE-HINT messages included when SPAKE
    is advertised in authentication sets are unauthenticated, and are not
    protected by the transcript hash.  Since hints do not replace any
    part of the message flow, manipulation of hint messages can only
    affect the client's decision to use or not use an authentication set,
    which could more easily be accomplished by removing authentication
    sets entirely.


Re: [kitten] SPAKE pa-hint

Benjamin Kaduk
On Fri, Feb 09, 2018 at 12:31:21AM -0500, Greg Hudson wrote:

> On 02/08/2018 09:21 PM, Benjamin Kaduk wrote:
> > Do we need to repeat
> > and/or modify the security considerations text
> > about unauthenticated plaintext in the factors portion of a
> > challenge with respect to the pa-hint contents?
>
> Proposed text, adding a fourth paragraph to the unauthenticated
> plaintext subsection:
>
>     Unless FAST is used, any PA-SPAKE-HINT messages included when SPAKE
>     is advertised in authentication sets are unauthenticated, and are not
>     protected by the transcript hash.  Since hints do not replace any
>     part of the message flow, manipulation of hint messages can only
>     affect the client's decision to use or not use an authentication set,
>     which could more easily be accomplished by removing authentication
>     sets entirely.

Sounds good.  Thanks!

-Ben
